xigua.exe Plorexie Startpage Browser Hijacker Adware Traffic Analysis PCAP file download sample

SHA256: 9e44c764a9d3681f64f2dfc0bf62454ff463313e193d70614b0d7505204f9170
File name: xigua.exe
Detection ratio: 34 / 56
Analysis date: 2016-10-26 23:29:08 UTC
Antivirus          Result                              Update
ALYac              Adware.GenericKD.3388535            20161026
AVG                Generic_c.ERT                       20161026
AVware             Trojan.Win32.Generic!BT             20161027
Ad-Aware           Adware.GenericKD.3388535            20161026
AegisLab           Adware.Generickd!c                  20161026
Antiy-AVL          Trojan/Generic.ASMalwNS.54D8        20161026
Arcabit            Adware.Generic.D33B477              20161026
Avira (no cloud)   TR/AD.Plorexie.sourk                20161026
BitDefender        Adware.GenericKD.3388535            20161027
CAT-QuickHeal      Browsermodifier.Plorexie            20161026
Cyren              W32/Plorexie.A.gen!Eldorado         20161027
DrWeb              Trojan.Click3.22642                 20161027
ESET-NOD32         Win32/StartPage.OVK                 20161026

2016-10-25 22:56:18.223887 IP 192.168.1.102.60948 > 58.215.177.195.80: Flags [P.], seq 0:295, ack 1, win 256, length 295: HTTP: GET /618171115/xigua.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: down.cdyb.net
Connection: Keep-Alive

2016-10-25 22:56:30.452318 IP 192.168.1.102.60951 > 119.28.13.101.80: Flags [P.], seq 0:276, ack 1, win 258, length 276: HTTP: GET /1/aHR0cDovLzEyMy5hMTAxLmNjL3UucGhwP2lkPTg5JnNkPW51bGwmYW50PW51bGw= HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 17990.vicp.net
Connection: Keep-Alive

2016-10-25 22:56:30.713143 IP 192.168.1.102.62222 > 75.75.76.76.53: 35316+ A? 123.a101.cc. (29)

2016-10-25 22:56:31.329029 IP 192.168.1.102.60952 > 119.28.13.101.80: Flags [P.], seq 0:302, ack 1, win 258, length 302: HTTP: GET /u.php?id=89&sd=null&ant=null HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 123.a101.cc
Connection: Keep-Alive

2016-10-25 22:56:31.612516 IP 192.168.1.102.62225 > 75.75.75.75.53: 36863+ A? hao.tianqi.cc. (31)

2016-10-25 22:56:43.258630 IP 192.168.1.102.60953 > 121.43.106.9.80: Flags [P.], seq 0:293, ack 1, win 64240, length 293: HTTP: GET /?sd-null-ant-null HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: hao.tianqi.cc
Connection: Keep-Alive
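The capture above is a four-hop chain. The sample is fetched from down.cdyb.net, then it calls the 17990.vicp.net redirector with a base64 path segment that decodes to http://123.a101.cc/u.php?id=89&sd=null&ant=null, which is exactly the next request (note that both 17990.vicp.net and 123.a101.cc were served from 119.28.13.101), and the sd/ant values from that query string reappear as the /?sd-null-ant-null path of the final hao.tianqi.cc start page. The script below is an added example, not code from the original page: it parses tcpdump -A style text like the capture (the embedded sample is constructed from the requests above, with the raw byte dumps and most headers omitted), decodes base64 path segments into URLs, checks that each decoded URL was actually requested afterwards, and collects the hosts, IPs and URLs as an IOC list.

```python
"""Parse tcpdump -A style HTTP output into a redirect chain plus an IOC list.
Added example, not code from the original page."""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed sample: the requests and DNS lookups from the capture above,
# with the raw byte dumps and most headers left out.
SAMPLE = """2016-10-25 22:56:18.223887 IP 192.168.1.102.60948 > 58.215.177.195.80: Flags [P.], seq 0:295, ack 1, win 256, length 295: HTTP: GET /618171115/xigua.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: down.cdyb.net

2016-10-25 22:56:30.452318 IP 192.168.1.102.60951 > 119.28.13.101.80: Flags [P.], seq 0:276, ack 1, win 258, length 276: HTTP: GET /1/aHR0cDovLzEyMy5hMTAxLmNjL3UucGhwP2lkPTg5JnNkPW51bGwmYW50PW51bGw= HTTP/1.1
Host: 17990.vicp.net

2016-10-25 22:56:30.713143 IP 192.168.1.102.62222 > 75.75.76.76.53: 35316+ A? 123.a101.cc. (29)

2016-10-25 22:56:31.329029 IP 192.168.1.102.60952 > 119.28.13.101.80: Flags [P.], seq 0:302, ack 1, win 258, length 302: HTTP: GET /u.php?id=89&sd=null&ant=null HTTP/1.1
Host: 123.a101.cc

2016-10-25 22:56:31.612516 IP 192.168.1.102.62225 > 75.75.75.75.53: 36863+ A? hao.tianqi.cc. (31)

2016-10-25 22:56:43.258630 IP 192.168.1.102.60953 > 121.43.106.9.80: Flags [P.], seq 0:293, ack 1, win 64240, length 293: HTTP: GET /?sd-null-ant-null HTTP/1.1
Host: hao.tianqi.cc
"""

# tcpdump summary line of an HTTP request: timestamp, src, dst, method, path
HTTP_RE = re.compile(r'^(\S+ \S+) IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+: '
                     r'.*HTTP: (GET|POST|HEAD) (\S+) HTTP/1\.[01]$')
# tcpdump summary line of a DNS A query: resolver IP and queried name
DNS_RE = re.compile(r'^\S+ \S+ IP \S+ > (\d+(?:\.\d+){3})\.53: \d+\+ A\? (\S+)\. \(\d+\)$')
# a path segment that is long and made only of base64 alphabet characters
B64_SEG_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


@dataclass
class HttpRequest:
    ts: str
    src_ip: str
    dst_ip: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased

    @property
    def host(self):
        return self.headers.get('host', self.dst_ip)

    @property
    def url(self):
        return f'http://{self.host}{self.path}'


def parse_capture(text):
    """Return (http_requests, dns_queries); dns entries are (qname, resolver_ip)."""
    requests, dns, cur = [], [], None
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            cur = HttpRequest(*m.groups())
            requests.append(cur)
            continue
        d = DNS_RE.match(line)
        if d:
            dns.append((d.group(2), d.group(1)))
        if d or not line.strip() or line[:4].isdigit():
            cur = None  # blank line or another packet summary ends the header block
        elif cur is not None and ':' in line:
            name, _, value = line.partition(':')
            cur.headers[name.strip().lower()] = value.strip()
    return requests, dns


def decode_embedded_url(path):
    """Return a URL carried as a base64 path segment (redirector style), else None."""
    for seg in path.split('/'):
        if not B64_SEG_RE.match(seg):
            continue
        try:
            decoded = base64.b64decode(seg, validate=True).decode('ascii')
        except (binascii.Error, UnicodeDecodeError):
            continue  # long token, but not base64 text
        if decoded.startswith(('http://', 'https://')):
            return decoded
    return None


def redirect_chain(requests):
    """Each hop with its decoded next URL and whether that URL was requested later."""
    urls = [r.url for r in requests]
    chain = []
    for i, r in enumerate(requests):
        nxt = decode_embedded_url(r.path)
        chain.append({'ts': r.ts, 'url': r.url, 'decoded_next': nxt,
                      'next_observed': (nxt in urls[i + 1:]) if nxt else None})
    return chain


def iocs(requests, dns):
    """Hosts, destination IPs and URLs (observed plus decoded) as sorted lists."""
    hosts = {r.host for r in requests} | {q for q, _ in dns}
    urls = {r.url for r in requests} | {u for u in (decode_embedded_url(r.path) for r in requests) if u}
    return {'hosts': sorted(hosts), 'ips': sorted({r.dst_ip for r in requests}), 'urls': sorted(urls)}


if __name__ == '__main__':
    reqs, queries = parse_capture(SAMPLE)
    for hop in redirect_chain(reqs):
        print(hop)
    print(iocs(reqs, queries))
```

The next_observed flag is the useful part when triaging a capture like this one: a decoded URL that is then requested confirms the redirector's role in the chain, while a decoded URL that never appears points at a hop the sandbox did not follow (blocked, time-gated, or dependent on the earlier response).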